Hi,
While writing a rule I need to compare the filename with a CDB list that includes the whole list of malware files. For that I need to create a CDB list of malware file names. Where can I collect those malware filenames?
Pacome Kemkeu
Apr 10, 2023, 3:43:27 AM
Hello Sinu,
Here is a list of publicly available malware databases with their website links where you can collect malware names and other IOCs:
However, I would like to highlight that comparing file names might not be a good method for malware hunting, since file names can change and are subject to numerous false positives (file names are usually not considered IOCs in threat hunting). Instead, I'll recommend you use hashes for comparison. There is this blog post that shows how to detect and delete malicious files using a CDB list of their MD5 hashes. In the blog post, you also have a method to generate a large CDB list of malware hashes using a single command.
I hope you find this helpful.
Sinu Soman
Apr 10, 2023, 4:11:24 AM
Hello Pacome Kemkeu,
Thank you for your valuable reply. You are right, comparing the hashes of the files is the best way, and it will also avoid numerous false positives. But in my logs there are no hashes to compare. Do you have any idea how to solve this?
Pacome Kemkeu
Apr 10, 2023, 5:11:02 AM
In that case, you can proceed to compare file names. But can you please give more insight into what you are trying to perform and how you are collecting your logs? Also, maybe provide a sample of your log and your current rules. These can be helpful in solving your issue.
Sinu Soman
Apr 10, 2023, 5:56:07 AM
In my case I have a malware log file, and it has fields called "application name" and "filename". I need to be alerted if a blacklisted filename is detected on my system.
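One way to wire up the filename lookup discussed in this thread, written here as an added example; it is not code from the thread, from the blog post mentioned above, or from Wazuh's own rule set. It assumes a constructed log line of the form `malware-scanner: application name=<app> filename=<name>`, a list file at `etc/lists/malware-filenames`, and custom rule IDs 100100 and 100101 (all assumptions chosen for the example). The list file is registered in `ossec.conf`, the decoder belongs in `etc/decoders/local_decoder.xml`, and the rules in `etc/rules/local_rules.xml`; restart the manager afterwards so the list is compiled.

```xml
<!--
  1. etc/lists/malware-filenames  (plain text, not XML)
     One "key:value" entry per line; the value may be left empty.
     CDB lookups are exact and case-sensitive, so the key must be the
     filename exactly as it appears in the decoded field (bare name here;
     if your scanner logs a full path, the list must hold that full path).
     Constructed sample entries:

       mimikatz.exe:
       nc.exe:
       invoice.pdf.exe:
-->

<!-- 2. Fragment for ossec.conf: make the list available to the analysis engine -->
<ossec_config>
  <ruleset>
    <list>etc/lists/malware-filenames</list>
  </ruleset>
</ossec_config>

<!-- 3. etc/decoders/local_decoder.xml: extract "application" and "filename"
        from the constructed line
        malware-scanner: application name=ClamAV filename=invoice.pdf.exe -->
<decoder name="malware-scanner">
  <prematch>^malware-scanner: </prematch>
</decoder>

<decoder name="malware-scanner-fields">
  <parent>malware-scanner</parent>
  <!-- \S+ is the OSSEC regex class for a run of non-space characters -->
  <regex offset="after_parent">application name=(\S+) filename=(\S+)</regex>
  <order>application, filename</order>
</decoder>

<!-- 4. etc/rules/local_rules.xml -->
<group name="malware,local,">
  <!-- Base rule: every decoded scanner event, low level so it only feeds the child rule -->
  <rule id="100100" level="3">
    <decoded_as>malware-scanner</decoded_as>
    <description>Malware scanner event from $(application)</description>
  </rule>

  <!-- Child rule: fire only when the decoded filename is a key in the CDB list -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <list field="filename" lookup="match_key">etc/lists/malware-filenames</list>
    <description>Blacklisted filename $(filename) reported by $(application)</description>
  </rule>
</group>
```

Because `match_key` is an exact match, a renamed copy of the same binary is not caught, which is the false-positive and false-negative problem Pacome raised; if the scanner later exposes a hash field, the same `<list>` element works unchanged against a hash list by pointing `field` at that hash field.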